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DETAILED ACTION 

Claims 1-33 are presented for examination. 

Claim Rejections - 35 USC § 102 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in a patent granted on an application for patent by another filed in the United 
States before the invention thereof by the applicant for patent, or on an international application by another 
who has fulfilled the requirements of paragraphs (1), (2), and (4) of section 371(c) of this title before the 
invention thereof by the applicant for patent. 

The changes made to 35 U.S.C. 102(e) by the American Inventors Protection Act 
of 1999 (AIPA) and the Intellectual Property and High Technology Technical 
Amendments Act of 2002 do not apply when the reference is a U.S. patent resulting 
directly or indirectly from an international application filed before November 29, 2000. 
Therefore, the prior art date of the reference is determined under 35 U.S.C. 102(e) prior 
to the amendment by the AIPA (pre-AlPA 35 U.S.C. 102(e)). 

Claims 1-33 are rejected under 35 U.S.C. 102(e) as being anticipated by 
Rowland, (U.S. Patent No. 6,405,318). 

Regarding claims 1 and 19, Rowland discloses a network intrusion detection 
system, comprising: 
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a processor, a memory accessible by the processor, a monitor application stored 
in the memory and executable by the processor, the monitor application adapted to 
monitor network activity associated with a network node, a profile application stored in 
the memory and executable by the processor, the profile application adapted to 
automatically generate an activity profile associated with the network node using the 
monitored network activity, and a recognition engine stored in the memory and 
executable by the processor, the recognition engine adapted to compare a network 
event to the activity profile to determine whether the network event is authorized for the 
network node (Col. 3, lines 30-67 and Col. 4, lines 1-48). 

Regarding claims 2-4, Rowland discloses wherein the network activity comprises 
inbound data communications and outbound data communications (Col. 4, lines 30-48). 

Regarding claim 5, Rowland discloses wherein the profile application generates 
the activity profile corresponding to network activity occurring over a predetermined time 
period (Col. 4, lines 15-30). 

Regarding claims 6, 17, 26, and 28, Rowland discloses wherein the profile 
application is further adapted to automatically update the activity profile in response to a 
predetermined event (i.e., login events)(Col. 4, lines 30-48). 
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Regarding claims 7, 18, 25, 29, and 33, Rowland discloses wherein the profile 
application is further adapted to automatically update the activity profile corresponding 
to a predetermined time period (i.e., the log auditing function can run on a periodic basis 
with the period selected by the user or it can run continuously in real-time)(Col. 4, lines 
30-48). 

Regarding claims 8, 16, and 32, Rowland discloses wherein the recognition 
engine is further adapted to block the network event if the network event exceeds the 
activity profile (i.e., blocking access to the computer system)(Col. 6, lines 13-67 and 
Col. 7, lines 1-67 and Col. 8, lines 1-24). 

Regarding claims 9, 15, and 20, Rowland discloses wherein the profile 
application is further adapted to automatically update the activity profile if the network 
event is authorized (i.e., if the user is logging into the system, the monitor 
builds/updates the user profile database and updates the active user database)(Col. 4, 
lines 30-48). 

Regarding claims 10, 14, 22, and 30, Rowland discloses further comprising an 
event library accessible by the recognition engine to determine whether the network 
event is authorized, the event library comprising information associated with authorized 
network activities not reflected in the activity profile (Col. 7, lines 55-67 and Col. 8, lines 
1-8). 
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Regarding claim 1 1 , Rowland discloses a method for network intrusion detection, 
comprising: 

monitoring network activity associated with network node for predetermined time 
period, automatically generating an activity profile corresponding to the network node 
using the monitored network activity, identifying a network event associated with the 
network node, and automatically determining whether the network event is authorized 
for the network node using the activity profile (Col. 4, lines 15-67 and Col. 5, lines 1-67 
and Col. 6, lines 1-12). 

Regarding claims 12, 21, and 31, Rowland discloses wherein monitoring the 
network activity comprises monitoring the network activity comprising inbound data 
communications and outbound data communications associated with the network node 
(i.e., port scanning)(Col. 6, lines 13-67 and Col. 7, lines 1-40). 

Regarding claims 13 and 23, Rowland discloses wherein monitoring the network 
activity comprises monitoring network application usage corresponding to the network 
node (Col. 8, lines 46-67 and Col. 9, lines 1-52). 

Regarding claim 24, Rowland discloses wherein the recognition engine is further 
adapted to generate an event alarm log for the network event if the network event is not 
authorized (Col. 8, lines 46-67 and Col. 9-10, lines 1-67 and Col. 11, lines 1-42). 
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Regarding claim 27, Rowland discloses a computer program for assisting in 
network intrusion detection, comprising; 

a computer-readable medium, and a profile application stored on the computer- 
readable medium, the profile application adapted to monitor network activity and 
generate an activity profile using the monitored network activity, the activity profile used 
to determine whether a network event is authorized (Col. 3, lines 30-67 and Col. 4, lines 
1-48). 



Conclusion 

The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. 

Lermuzeaux et al., (U.S. Patent No. 5,621 ,889), 

Milliken et al., (U.S. Publication No. 2004/0073617), 

Epstein etal., (U.S. Patent No. 6,584,508), 

Sheih et al., (U.S. Patent No. 5,278,901 ), 

Milliken et al., (U.S. Publication No. 2004/0064737), and 

Guheen et al., (U.S. Patent No. 6,473,794). 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Arezoo Sherkat whose telephone number is (571) 272- 
3796. The examiner can normally be reached on 8:00-4:30 Monday-Friday. 
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If attempts to reach the examiner by telephone are unsuccessful, the examinees 
supervisor, Ayaz Sheikh can be reached on (571) 272-3795. The fax phone number for 
the organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 
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